The Congressional Research Service is a $100 million a year think tank that researches and writes informative and non-partisan reports on topics suggested by members of Congress. The catch–and the reason you might not have read their work–is that CRS reports are only made easily available to members of Congress. Citizens can request these reports from lawmakers, but without a public index, they can’t request something they don’t know exists. The CRS Reports currently rank first on CDT’s Most Wanted Government Documents. In an ongoing effort liberate these documents, CDT runs Open CRS, an online repository of public CRS Reports. To spotlight these reports, I will be writing “CRS Report of the Week” posts and feature a relevant report each week. These reports are informative in both that they serve as excellent primers to political issues and that they offer a degree of insight into what information is circulating around Congress.
Comprehensive National Cybersecurity Initiative: Legal Authorities, Policy Considerations
March 10th, 2009
A standing question about cybersecurity is the respective roles of the executive and legislative branches. President Obama has made cybersecurity a priority in the White House; his commitment to the issue came early when he asked for top-to-bottom governmental review of cybersecurity efforts. Another example of Obama’s interest in making cybersecurity a primary issue is his announcement to create a “Cybersecurity Czar” in the White House. Meanwhile, some in Congress have gone their own way, for example, with the introduction of the Cybersecurity Act of 2009. Although the executive branch might seem like the logical place to have cybersecurity authority, this CRS Report suggests that the President’s cybersecurity authority could be disrupted (or reaffirmed) by Congressional action.
The central idea is that cybersecurity defies categorization and that it is unclear where authority for executive action is given. The significance of this report is not only that it serves as an excellent introduction to executive action on cybersecurity like the Comprehensive National Cybersecurity Initiative (CNCI), but that this is the report Members of Congress read to understand their own authority on the issue. As the report states, “to be legally authorized, the CNCI and any executive-branch action must have some basis in statutory or constitutional law.” The problem is that cybersecurity objectives are likely to be “broad governmental reforms and enhanced partnerships with the private sector.” Current statutory law does not grant these powers. For instance, the Federal Information Security Management Act of 2002 deals with mostly administrative measures on a smaller scale than what the CNCI needs, while criminal provisions do not deal with preventing cyber attacks. There are holes in the statutory framework–some of the CNCI’s objectives might be covered under the President’s statutory authority, some may not.
The alternative is that cybersecurity could fall under the constitutionally given executive powers–the President is the Commander in Chief and during the inauguration, swears to protect the nation from imminent threats. If cybersecurity is categorized as national security, then the President and Congress share powers. To illuminate this area, the report refers to Justice Robert Jackson’s concurring opinion in Youngstown Steel & Tube Co. Jackson provides a framework for the President’s constitutional authority in relation to Congress. Under the Youngstown framework, the President may implement cybersecurity policy until Congress takes action, due to their shared authority. Cybersecurity legislation could grant or restrain Presidential power. Regardless of legislation, Congress maintains oversight authority.